Published: 18/11/2014 Updated: 12/10/2018
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8

Vulnerability Summary

The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Access Complexity: LOW
Authentication: SINGLE
Access Vector: NETWORK
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Affected Products


      #!/usr/bin/python
      # MS14-068 Exploit
      # Author
      # ------
      # Sylvain Monne
      # Contact : sylvain dot monne at solucom dot fr
      # twitter.com/bidord

      import sys, os
      from random import getrandbits
      from time import time, localtime, strftime
      from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache
      from kek.crypto import generate_subkey, ntlm_has ...

Metasploit Modules

MS14-068 Microsoft Kerberos Checksum Validation Vulnerability

This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS request, where a domain user may forge a PAC with arbitrary privileges, including Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to an MIT Kerberos Credential Cache file, which can be loaded on Windows systems with the help of Mimikatz. It has been tested successfully on Windows 2008.

      msf > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
      msf auxiliary(ms14_068_kerberos_checksum) > show actions
      msf auxiliary(ms14_068_kerberos_checksum) > set ACTION <action-name>
      msf auxiliary(ms14_068_kerberos_checksum) > show options
            ...show and set options...
      msf auxiliary(ms14_068_kerberos_checksum) > run

Github Repositories

as-rep-roast
Author: Jason Martinsen
Python code to execute an AS-REP Roasting attack. USE ONLY AGAINST AUTHORIZED TARGETS.
Usage: as-rep-roast.py -u <userName>@<domainName> -d <domainControlerAddr>
Hashcat compatible output will be piped to screen and to hashcatout file. This code is based on the code from the below project.

Python Kerberos Exploitation Kit
PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data (still in development). For now, only a few functionalities have been implemented (in a quite Quick'n'Dirty way) to exploit MS14-068 (CVE-2014-6324). More is coming.
Author: Sylvain Monné
Contact: sylvain dot monne at solucom dot fr ht

License
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 3, August 2017
Everyone is permitted to copy and distribute verbatim or modified copies of this license document, and changing it is allowed as long as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
You just DO WHAT THE FUCK YOU WANT TO


Recent Articles

New APT Duqu 2.0 Hits High-Value Victims, Including Kaspersky Lab
Threatpost • Dennis Fisher • 10 Jun 2015

The Duqu attackers, who are considered by researchers to be at the top of the food chain of APT groups and are responsible for attacking certificate authorities and perhaps spying on Iran’s nuclear program, have resurfaced with a new platform that was used to compromise high-profile victims, including some related to the Iran nuclear talks last fall.
The new spate of attacks was discovered by researchers at Kaspersky Lab after they uncovered evidence that some of the company’s own syst...